WORLD INTELLECTUAL PROPERTY ORGANIZATION 

International Bureau 



PCX 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification ^ : 

G06K 



A2 



(11) International Publication Number: 
(43) International Publication Date: 



WO 98/21683 

22 May 1998 (22.05.98) 



(21) International Application Number: 



PCT/IB97y01626 



(22) International Filing Date: 



6 November 1997 (06.11.97) 



(30) Priority Data: 

60/030,639 
Not furnished 



8 November 1996 (08.1 1.96) US 
6 November 1997 (06.1 1 .97) US 



(71) Applicant: FINJAN SOFTWARE, LTD. [IL/IL]; 42945 Ke- 

far-Haim (IL). 

(72) Inventor: TOUBOUL, Shlomo; 42945 Kcfar-Haim (IL). 



(81) Designated States: CA, IL, JP, European patent (AT, BE, CH, 
DE, DK, ES, FX, FR, GB, GR, IE, IT, LU, MC, NL, PT, 
SE). 



Published 

Without international search report and to be republished 
upon receipt of that report. 



(54) Title: SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOAD ABLES 



(57) Abstract 

A system protects a computer from suspicious 
Downloadables. The system comprises a security policy, 
an interface for receiving a Downloadable, and a com- 
parator, coupled to the interface, for applying the security 
policy to the Downloadable to determine if the security 
policy has been violated. The Downloadable may include 
a Java™ applet, an ActiveX™ control, a JavaScript™ 
script, or a Visual Basic script. The security policy may 
include a default security policy to be applied regardless 
of the client to whom the Downloadable is addressed, 
or a specific security policy to be applied based on the 
client or the group to which the client belongs. TTie sys- 
tem uses an ID generator to compute a Downloadables 
ID identifying the Downloadable, preferably, by fetch- 
ing all components of the Downloadable and performing 
a hashing function on the Downloadable including the 
fetched components. Further, the security policy may 
indicate several tests to perform, including (1) a compar- 
ison with known hostile and non-hostile Downloadables; 
(2) a comparison with Downloadables to be blocked or 
allowed per administrative override; (3) a comparison 
of the Downloadable security profile data against access 
control lists; (4) a comparison of a certificate embodied 
in the Downloadable against trusted certificates; and (5) 
a comparison of the URL from which the Downloadable 
originated against trusted and untrusted URLs. Based on 
these tests, a logical engine can determine whether to al- 
low or block the Downloadable. 
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SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK 



FROM HOSTILE DOWNLOADABLES 

BACKGROUND OF THE INVENTION 
5 1. Field of the Invention 

This invention relates generally to computer networks, and more particularly provides 

« 

a system and method for protecting a computer and a network from hostile Downloadables. 

2. Description of the Background Art 
10 The Internet is currently a collection of over 100,000 individual computer networks 

owned by governments, universities, nonprofit groups and companies, and is expanding at an 
accelerating rate. Because the Internet is public, the Internet has become a major source of 
many system damaging and system fatal application programs, commonly referred to as 
"viruses.'* 

15 Accordingly, programmers continue to design computer and computer network 

. security systems for blocking these viruses from attacking both individual and network 
computers. On the most part, these security systems have been relatively successful. 
However, these security systems are not configured to recognize computer viruses which 
have been attached to or configured as Downloadable application programs, coriimonly 

20 referred to as "Downloadables." A Downloadable is an executable application program, 
which is downloaded from a source computer and run on the destination computer. 
Downloadable is typically requested by an ongoing process such as by an Internet browser or 
web engine. Examples of Downloadables include Java'^ applets designed for use in the 
Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript scripts also 
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developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX 
distributing environment developed by the Microsoft Corporation, and Visual Basic also 
developed by the Microsoft Corporation. Therefore, a system and method are needed to 
protect a network from hostile Downloadables. 

5 

SUMMARY OF THE INVENTION 

The present invention provides a system for protecting a network from suspicious 
Downloadables. The system comprises a security policy, an interface for receiving a 
Downloadable, and a comparator, coupled to the interface, for applying the securii\ polic> lo 

10 the Downloadable to determine if the security policy has been violated. The Downloadable 
may include a Java™ applet, an ActiveX^'^ control, a JavaScript™ script, or a Visual Basic 
script. The security policy may include a default security policy to be applied regardless of 
the client to whom the Downloadable is addressed, a specific security policy to be applied 
based on the client or the group to which the client belongs, or a specific policy to be applied 

15 based on the client/group and on the particular Downloadable received. The system uses an 
ID generator to compute a Downloadable ID identifying the Downloadable, preferably, by 
fetching all components of the Downloadable and performing a hashing function on the 
Downloadable including the fetched components. 

Further, the security policy may indicate several tests to perform, including ( 1 ) a 

20 comparison with known hostile and non-hostile Downloadables; (2) a comparison with 
Downloadables to be blocked or allowed per administrative override; (3) a comparison of the 
Downloadable security profile data against access control lists; (4) a comparison of a 
certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of 
the URL from which the Downloadable originated against trusted and untrusted URLs. 
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Based on these tests, a logical engine can determine whether to allow or block the 
Downloadable. 

The present invention further provides a method for protecting a computer from 
suspicious Downloadables. The method comprises the steps of receiving a Downloadable. 
5 comparing the Downloadable against a security poUcy to determine if the security policy has 
been violated, and discarding the Downloadable if the security policy has been violated. 

It will be appreciated that the system and method of the present invention may provide 
computer protection from known hostile Downloadables. The system and method of the 
present invention may identify Downloadables that perform operations deemed suspicious. 
10 The system and method of the present invention may examine the Downloadable code to 
determine whether the code contains any suspicious operations, and thus may allow or block 
the Downloadable accordingly. 



BRIEF DESCRIPTION OF THE DRAWINGS 
15 FIG. 1 is a block diagram illustrating a network system, in accordance with the 

present invention; 

FIG. 2 is a block diagram illustrating details of the intemal network security system of 

FIG. 1; 

FIG. 3 is a block diagram illustrating details of the security program and the security 
20 database of FIG. 2; 

FIG. 4 is a block diagram illustrating details of the security policies of FIG. 3; 

FIG. 5 is a block diagram illustrating details of the security management console of 

FIG. 1; 
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FIG. 6A is a flowchart illustrating a method of examining for suspicious 
Downloadables, in accordance with the present invention; 

FIG, 6B is a flowchart illustrating details of the step for finding the appropriate 
security policy of FIG. 6A; 
5 FIG. 6C is a flowchart illustrating a method for determining whether an incoming 

Downloadable is to be deemed suspicious; 

FIG. 7 is a flowchart illustrating details of the FIG. 6 step of decomposing a 
Downloadable; and 

FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID for 
10 identifying a Downloadable. 



DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

FIG. 1 is a block diagram illustrating a network system 100, in accordance with the 
present invention. The network system 100 includes an external computer network 105, such 

15 as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a 
communications channel 125 to an internal network securitv svstem 110. The network 
system 100 further includes an internal computer network 115, such as a corporate Local 
Area Network (LAN), coupled via a communications channel 130 to the internal network 
computer system 110 and coupled via a communications channel 135 to a security 

20 management console 1 20. 

The internal network security system 1 1 0 examines Downloadables received from 
external computer network 105, and prevents Downloadables deemed suspicious from 
reaching the internal computer network 115. It will be further appreciated that a 
Downloadable is deemed suspicious if it performs or may perform any undesirable operation. 
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or if it threatens or may threaten the integrity of an internal computer network 1 1 5 
component. It is to be understood that the term "suspicious" includes hostile, potentially 
hostile, undesirable, potentially undesirable, etc. Security management console 120 enables 
viewing, modification and configuration of the internal network security system 110. 

5 

FIG. 2 is a block diagram illustrating details of the internal network security system 
110, which includes a Central Processing Unit (CPU) 205, such as an Intel Pentium*' 
microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 220. The 
internal network security system 110 further includes an external communications interface 

10 210 coupled between the communications channel 125 and the signal bus 220 for receiving 
Downloadables from external computer network 105, and an internal communications 
interface 225 coupled between the signal bus 220 and the communications channel 130 for 
forwarding Downloadables not deemed suspicious to the internal computer network 115. 
The external communications interface 210 and the internal communications interface 225 

15 may be functional components of an integral communications interface (not shown) for both 

receiving Downloadables from the external computer network 105 and forwarding 

Downloadables to the internal computer network 115. 

Internal network security system 110 further includes Input/Output (I/O) interfaces 

* 

215 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data storage 
20 device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235. each 
coupled to the signal bus 220. The data storage device 230 stores a security database 240, 
which includes security information for determining whether a received Downloadable is to 
be deemed suspicious. The data storage device 230 further stores a users list 260 identifying 
the users within the internal computer network 115 who may receive Downloadables, and an 
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event log 245 which includes determination results for each Downloadable examined and 
runtime indications of the internal network security system 110. An operating system 250 
controls processing by CPU 205, and is typically stored in data storage device 230 and 
loaded into RAM 235 (as illustrated) for execution. A security program 255 conirols 
5 examination of incoming Downloadables, and also may be stored in data storage device 230 
and loaded into RAM 235 (as illustrated) for execution by CPU 205. 

FIG. 3 is a block diagram illustrating details of the security program 255 and the 
security database 240. The security program 255 includes an ID generator 315, a policy 

10 finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the policy 
finder 317. The first comparator 320 is coupled to a logical engine 333 via four separate 
paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes a direct 
connection from the first comparator 320 to the logical engine 333. Path 2 includes a code 
scanner coupled to the first comparator 320, and an Access Control List (ACL) comparaior 

15 330 coupling the code scanner 325 to the logical engine 333. Path 3 includes a certificate 
scanner 340 coupled to the first comparator 320, and a certificate comparator 345 coupling 
the certificate scanner 340 to the logical engine 333. Path 4 includes a Uniform Resource 
Locator (URL) comparator 350 coupling the first comparator 320 to the logical engine 3330. 
A record-keeping engine 335 is coupled between the logical engine 333 and the event log 

20 245. 

The security program 255 operates in conjunction with the security database 240, 
which includes security policies 305, known Downloadables 307, known Certificates 309 
and Downloadable Security Profile (DSP) data 310 corresponding to the known 
Downloadables 307. Security policies 305 includes policies specific to particular users 260 
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and default (or generic) policies for determining whether to allow or block an incoming 
Downloadable. These security policies 305 may identify specific Downloadables to block, 
specific Downloadables to allow, or necessary criteria for allowing an unknown 
Downloadable. Referring to FIG. 4, security poUcies 305 include policy selectors 405. 
5 access control lists 410, trusted certificate lists 415, URL rule bases 420. and lists 425 of 
Downloadables to allow or to block per administrative override. 

Known Downloadables 307 include lists of Downloadables which Original 
Equipment Manufacturers (OEMs) know to be hostile, of Downloadables which ()l:Ms 
know to be non-hostile, and of Downloadables previously received by this security program 

10 255. DSP data 310 includes the list of all potentially hostile or suspicious computer 
operations that may be attempted by each known Downloadable 307, and may also include 
the respective arguments of these operations. An identified argument of an operation is 
referred to as "resolved." An unidentified argument is referred to as "unresolved." DSP 
data 310 is described below with reference to the code scanner 325. 

15 The ID generator 315 receives a Downloadable (including the URL from which it 

came and the userlD of the intended recipient) from the external computer network 105 via 
the external communications interface 210, and generates a Downloadable ID for identifying 
each Downloadable. The Downloadable ID preferably includes a digital hash of the 
complete Downloadable code. The ID generator 315 preferably prefetches all components 

20 embodied in or identified by the code for Downloadable ID generation. For example, the ID 
generator 315 may prefetch all classes embodied in or identified by the Java™ applet 
bytecode to generate the Downloadable ID. Similarly, the ID generator 315 may retrieve all 
components listed in the .INF file for an ActiveX™ control to compute a Downloadable ID. 
Accordingly, the Downloadable ID for the Downloadable will be the same each time the ID 
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generator 315 receives the same Downloadable. The ID generator 315 adds the generated 
Downloadable ID to the list of known Downloadables 307 (if it is not already listed). The 
ID generator 315 then forwards the Downloadable and Downloadable ID to the policy finder 
317. 

5 The policy finder 3 1 7 uses the userlD of the intended user and the Downloadable ID 

to select the specific security policy 305 that shall be applied on the received Downloadable. 
If there is a specific policy 305 that was defined for the user (or for one of its super groups) 
and the Downloadable, then the policy is selected. Otherwise the generic policy 305 that 
was defined for the user (or for one of its super groups) is selected. The policy finder 3 1 7 

10 then sends the policy to the first comparator 320. 

The first comparator 320 receives the Downloadable, the Downloadable ID and the 
security policy 305 from the policy finder 317. The first comparator 320 examines the 
security policy 305 to determine which steps are needed for allowing the Downloadable. For 
example, the security policy 305 may indicate that, in order to allow this Downloadable, it 

15 must pass all four paths. Path 1, Path 2, Path 3 and Path 4. Alternatively, the security policy 
305 may indicate that to allow the Downloadable, the it must pass only one of the paths. 
The first comparator 320 responds by forwarding the proper information to the paths 
identified by the security policy 305. 

20 Path 1 

In path 1, the first comparator 320 checks the policy selector 405 of the security 
policy 305 that was received from the policy finder 317. If the policy selector 405 is either 
"Allowed" or "Blocked," then the first comparator 320 forwards this result directly to the 

J- 

logical engine 333. Otherwise, the first comparator 320 invokes the comparisons in path2 
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and/or path 3 and/or path 4 based on the contents of policy selector 405. It will be 
appreciated that the first comparator 320 itself compares the Downloadable ID against the 
lists of Downloadables to allow or block per administrative override 425. That is, the system 
security administrator can define specific Downloadables as ''Allowed" or ^'Blocked/' 
5 Alternatively, the logical engine 333 may receive the results of each of the paths and 

based on the policy selector 405 may institute the final determination whether to allow or 

■ 

block the Downloadable. The first comparator 320 informs the logical engine 333 of the 
results of its comparison. 



10 Path 2 

In path 2, the first comparator 320 delivers the Downloadable, the Downloadable ID 
and the security policy 305 to the code scanner 325. If the DSP data 310 of the received 
Downloadable is known, the code scanner 325 retrieves and forwards the information to the 
ACL comparator 330. Otherwise, the code scanner 325 resolves the DSP data 310. That is. 

15 the code scanner 325 uses conventional parsing techniques to decompose the code (including 
all prefetched components) of the Downloadable into the DSP data 310. DSP data 310 
includes the list of all potentially hostile or suspicious computer operations that may be 
attempted by a specific Downloadable 307, and may also include the respective arguments of 
these operations. For example, DSP data 310 may include a READ from a specific file, a 

20 SEND to an unresolved host, etc. The code scanner 325 may generate the DSP data 3 1 0 as a 
list of all operations in the Downloadable code which could ever be deemed potentially 
hostile and a list of all files to be accessed by the Downloadable code. It will be appreciated 
that the code scanner 325 may search the code for any pattern, which is undesirable or 
suggests that the code was written by a hacker. 
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An Example List of Operations Deemed Potentially Hostile 

• File operations: READ a file, WRITE a file; 

• Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, 
RECEIVE data, VIEW INTRANET; 

• Registry operations: READ a registry item, WRITE a registry item; 

• Operating system operations: EXIT WINDOWS, EXIT BROWSER. STARI 
PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD 
PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and 

• Resource usage thresholds: memory, CPU, graphics, etc. 

In the preferred embodiment, the code scanner 325 performs a full-content inspection. 
However, for improved speed but reduced security, the code scanner 325 may examine only 
a portion of the Downloadable such as the Downloadable header. The code scanner 325 then 
stores the DSP data into DSP data 310 (corresponding to its Downloadable ID), and sends 
the Downloadable, the DSP data to the ACL comparator 330 for comparison v\iih ilic 
security policy 305. 

The ACL comparator 330 receives the Downloadable, the corresponding DSP data 
and the security policy 305 from the code scanner 325, and compares the DSP data against 
the security policy 305. That is, the ACL comparator 330 compares the DSP data of the 
received Downloadable against the access control lists 410 in the received security policy 
305. The access control list 410 contains criteria indicating whether to pass or fail the 
Downloadable. For example, an access control list may indicate that the Downloadable fails 
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if the DSP data includes a WRITE command to a system file. The ACL comparator 330 
sends its resuUs to the logical engine 333. 



Path 3 : 

In path 3, the certificate scanner 340 determines whether the received Downloadable 
was signed by a certificate authority, such as VeriSign, Inc., and scans for a certificate 
embodied in the Downloadable. The certificate scanner 340 forwards the found certificate to 
the certificate comparator 345. The certificate comparator 345 retrieves known certificates 
309 that were deemed trustworthy by the security administrator and compares the found 
certificate with the known certificates 309 to determine whether the Downloadable v\as 
signed by a trusted certificate. The certificate comparator 345 sends the results to the logical 
engine 333. 

Path 4: 

In path 4, the URL comparator 350 examines the URL identifying the source of the 
Downloadable against URLs stored in the URL rule base 420 to determine whether the 
Downloadable comes from a trusted source. Based on the security policy 305, the URL 
comparator 350 may deem the Downloadable suspicious if the Downloadable comes from an 
untrustworthy source or if the Downloadable did not come from a trusted source. For 
example, if the Downloadable comes from a known hacker, then the Downloadable may be 
deemed suspicious and presumed hostile. The URL comparator 350 sends its results to the 
logical engine 333. 
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The logical engine 333 examines the results of each of the paths and the policy 
selector 405 in the security poHcy 305 to determine whether to allow or block the 
Downloadable. The policy selector 405 includes a logical expression of the results received 
from each of the paths. For example, the logical engine 333 may block a Downloadable if it 
fails any one of the paths, i.e., if the Downloadable is known hostile (Path 1), if the 
Downloadable may request suspicious operations (Path 2), if the Downloadable was not 
signed by a trusted certificate authority (Path 3), or if the Downloadable did came from an 
untrustworthy source (Path 4). The logical engine 333 may apply other logical expressions 
according to the policy selector 405 embodied in the security policy 305. If the policy 
selector 405 indicates that the Downloadable may pass, then the logical engine 333 passes 
the Downloadable to its intended recipient. Otherwise, if the policy selector 405 indicates 
that the Downloadable should be blocked, then the logical engine 333 forwards a non-hostile 
Downloadable to the intended recipient to inform the user that internal network security 
system 1 10 discarded the original Downloadable. Further, the logical engine 333 forwards a 
status report to the record-keeping engine 335, which stores the reports in event log 245 in 
the data storage device 230 for subsequent review, for example, by the MIS director. 

FIG. 5 is a block diagram illustrating details of the security management console 120, 
which includes a security policy editor 505 coupled to the communications channel 135, an 
event log analysis engine 510 coupled between communications channel 135 and a user 
notification engine 515, and a Downloadable database review engine 520 coupled to the 
communications charmel 135. The security management console 120 further includes 
computer components similar to the computer components illustrated in FIG, 2. 
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The security policy editor 505 uses an I/O interface similar to I/O interface 215 for 
enabling authorized user modification of the security policies 305, That is, the security 
policy editor 505 enables the authorized user to modify specific security policies 305 
corresponding to the users 260, the default or generic security policy 305, the 
Downloadables to block per administrative override, the Downloadables to allow per 
administrative override, the trusted certificate lists 415, the policy selectors 405, the access 
control lists 410, the URLs in the URL rule bases 420, etc. For example, if the authorized 
user learns of a nev^ hostile Downloadable, then the user can add the Dovmloadable to the 
Downloadables to block per system override. 

The event log analysis engine 510 examines the status reports contained in the event 
log 245 stored in the data storage device 230. The event log analysis engine 510 determines 
whether notification of the user (e.g., the security system manager or MIS director) is 
warranted. For example, the event log analysis engine 510 may warrant user notification 
whenever ten (10) suspicious Downloadables have been discarded by internal network 
security system 110 within a thirty (30) minute period, thereby flagging a potential imminent 
security threat. Accordingly, the event log analysis engine 510 instructs the user noiitlcaiitin 
engine 515 to inform the user. The user notification engine 515 may send an e-mail via 
internal communications interface 220 or via external communications interface 210 to the 
user, or may display a message on the user's display device (not shown). 

FIG. 6A is a flowchart illustrating a method 600 for protecting an internal computer 
network 1 15 from suspicious Downloadables. Method 600 begins with the ID generator 3 1 5 
in step 602 receiving a Downloadable. The ID generator 315 in step 604 generates a 
Downloadable ID identifying the received Downloadable, preferably, by generating a digital 
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hash of the Downloadable code (including prefetched components). The policy finder 3 1 7 in 
step 606 finds the appropriate security policy 305 corresponding to the userlD specifying 
intended recipient (or the group to which the intended recipient belongs) and the 
Downloadable. The selected security policy 305 may be the default security policy 305. 
Step 606 is described in greater detail below with reference to FIG, 6B. 

The first comparator 320 in step 608 examines the Hsts of Downloadables to allow or 
to block per administrative override 425 against the Downloadable ID of the incoming 
Downloadable to determine whether to allow the Downloadable automatically. If so, then in 
step 612 the first comparator 320 sends the results to the logical engine 333. If not. then the 
method 600 proceeds to step 610. In step 610, the first comparator 620 examines the lists of 
Downloadables to block per administrative override 425 against the Downloadable ID of the 
incoming Downloadable for determining whether to block the Downloadable automatically. 
If so, then the first comparator 420 in step 612 sends the results to the logical engine 333, 
Otherwise, method 600 proceeds to step 614. 

In step 614, the first comparator 320 determines whether the security policy 305 
indicates that the Downloadable should be tested according to Path 4, If not, then method 
600 jumps to step 618. If so, then the URL comparator 350 in step 616 compares the URL 
embodied in the incoming Downloadable against the URLs of the URL rules bases 420. and 
then method 600 proceeds to step 618. 

In step 618, the first comparator 320 determines whether the security policy 305 
indicates that the Downloadable should be tested according to Path 2. If not, then method 
600 jumps to step 620. Otherwise, the code scanner 235 in step 626 examines the DSP data 
310 based on the Downloadable ID of the incoming Downloadable to determine whether the 
Downloadable has been previously decomposed. If so, then method 600 jumps to step 630. 
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Otherwise, the code scanner 325 in step 628 decomposes the Downloadable into DSP data. 
Downloadable decomposition is described in greater detail with reference to l-lCi. 7. In sicp 
630, the ACL comparator 330 compares the DSP data of the incoming Downloadable against 
the access control lists 410 (which include the criteria necessary for the Downloadable to fail 
or pass the test). 

In step 620, the first comparator 320 determines whether the security policy 305 
indicates that the Downloadable should be tested according to Path 3. If not, then method 
600 returns to step 612 to send the results of each of the test performed to the logical engine 
333, Otherwise, the certificate scarmer 622 in step 622 scans the Downloadable for an 
embodied certificate. The certificate comparator 345 in step 624 retrieves trusted certificates 
from the trusted certificate lists (TCL) 415 and compares the embodied certificate with the 
trusted certificates to determine whether the Downloadable has been signed by a trusted 
source. Method 600 then proceeds to step 612 by the certificate scanner 345 sending the 
results of each of the paths taken to the logical engine 333. The operations of the logical 
engine 333 are described in greater detail below with reference to FIG. 6C. Method 600 then 
ends. 

One skilled in the art will recognize that the tests may be performed in a different 
order, and that each of the tests need not be performed. Further, one skilled in the art will 
recognize that, although path 1 is described in FIG. 6A as an automatic allowance or 
blocking, the results of Path 1 may be another predicate to be applied by the logical engine 
333. Further, although the tests are shown serially in FIG. 6A, the tests may be performed in 
parallel as illustrated in FIG. 3. 
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FIG. 6B is a flowchart illustrating details of step 606 of FIG. 6A (referred to herein as 
method 606). Method 606 begins with the poHcy finder 317 in step 650 determining 
whether security policies 305 include a specific security policy corresponding to the userlD 
and the Downloadable. If so, then the policy finder 317 in step 654 fetches the 
corresponding specific policy 305. If not, then the policy finder 317 in step 652 fetches the 
default or generic security policy 305 corresponding to the userlD. Method 606 then ends. 

FIG. 6C is a flowchart illustrating details of a method 655 for determining whether to 
allow or to block the incoming Downloadable. Method 655 begins with the logical engine 
333 in step 660 receiving the results from the first comparator 320, from the ACL 
comparator 330, from the certificate comparator 345 and from the URL comparator 350. 
The logical engine 333 in step 662 compares the results with the policy selector 405 
embodied in the security policy 305, and in step 664 determines whether the policy selector 
405 confirms the pass. For example, the policy selector 405 may indicate that the logical 
engine 333 pass the Downloadable if it passes one of the tests of Path 1, Path 2, Path 3 and 
Path 4. If the policy selector 405 indicates that the Downloadable should pass, then the 
logical engine 333 in step 666 passes the Downloadable to the intended recipient. In step 
668, the logical engine 333 sends the results to the record-keeping engine 335, which in turn 
stores the results in the event log 245 for future review. Method 655 then ends. Otherwise, 
if the policy selector 405 in step 664 indicates that the Downloadable should not pass, then 
the logical engine 333 in step 670 stops the Downloadable and in step 672 sends a non- 
hostile substitute Downloadable to inform the user that the incoming Downloadable has been 
blocked. Method 655 then jumps to step 668. 
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FIG. 7 is a flowchart illustrating details of step 628 of FIG. 6A (referred to herein as 
method 628) for decomposing a Downloadable into DSP data 310. Method 628 begins in 
step 705 with the code scanner 325 disassembling the machine code of the Downloadable. 
The code scanner 325 in step 710 resolves a respective command in the machine code, and in 
step 715 determines whether the resolved command is suspicious (e.g., whether the 
command is one of the operations identified in the Hst described above with reference to 
FIG. 3). If not, then the code scanner 325 in step 725 determines whether it has completed 
decomposition of the Downloadable, i.e., whether all operations in the Downloadable code 
have been resolved. If so, then method 628 ends. Otherwise, method 628 returns to step 
710. 

Otherwise, if the code scanner 325 in step 715determines that the resolved command 
is suspect, then the code scanner 325 in step 720 decodes and registers the suspicious 
command and its command parameters as DSP data 310. The code scanner 325 in step 720 
registers the commands and command parameters into a format based on command class 
(e.g., file operations, network operations, registry operations, operating system operations, 
resource usage thresholds). Method 628 then jumps to step 725. 

FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID tor 
identifying a Downloadable. Method 800 begins with the ID generator 315 in step 810 
receiving a Downloadable fi-om the external computer network 105. The ID generator 315 in 
step 820 may fetch some or all components referenced in the Downloadable code, and in 
step 830 includes the fetched components in the Downloadable code. The ID generator 315 
in step 840 performs a hashing function on at least a portion of the Downloadable code to 
generate a Downloadable ID. The ID generator 315 in step 850 stores the generated 
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Downloadable ID in the security database 240 as a reference to the DSP data 310. 
Accordingly, the Downloadable ID will be the same for the identical Downloadable cacli 
time it is encountered. 



The foregoing description of the preferred embodiments of the invention is by way of 
example only, and other variations of the above-described embodiments and methods are 
provided by the present invention. For example, although the invention has been described 
in a system for protecting an internal computer network, the invention can be embodied in a 
system for protecting an individual computer. Components of this invention may be 
implemented using a programmed general purpose digital computer, using application 
specific integrated circuits, or using a network of interconnected conventional components 
and circuits. The embodiments described herein have been presented for purposes of 
illustration and are not intended to be exhaustive or limiting. Many variations and 
modifications are possible in light of the foregoing teaching. The system is limited only by 
the following claims. 
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1 WHAT IS CLAIMED IS : 
2 

3 1 . A computer-based method, comprising the steps of: 

4 receiving a Downloadable; 

5 comparing the Downloadable against a security policy to determine if the 

6 security policy has been violated; and 

7 discarding the Downloadable if the security policy has been violated. 
8 

9 2. The method of claim 1, further comprising the steps of decomposing the 

10 Downloadable into Downloadable security profile data, and comparing the 

11 Downloadable security profile data against the security policy. 
12 

13 3. The method of claim 1, further comprising the steps of scanning for a 

14 certificate and comparing the certificate against a trusted certificate. 
15 

16 4. The method of claim 1, further comprising the step of comparing the URL 

17 from which the Downloadable originated against a known URL. 
18 

19 5. The method of claim 4, wherein the known URL is a trusted URL. 
20 

21 6. The method of claim 4, wherein the known URL is an untrusted URL. 
22 

23 7. The method of claim 1 , wherein the Downloadable includes a Java™ applet. 
24 
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25 8. The method of claim 1, wherein the Downloadable includes an ActiveX 

26 control. 
27 

28 9. The method of claim 1, wherein the Downloadable includes a JavaScript™ 

29 script. 

30 

31 10. The method of claim 1, wherein the Downloadable includes a Visual Basic 

32 script. 
33 

34 11. The method of claim 1 , wherein 

35 the Downloadable is addressed to a client; and 

36 the security policy includes a default security policy to be applied regardless of 

37 the client to whom the Downloadable is addressed. 
38 

39 12. The method of claim 1 , wherein 

40 the Downloadable is addressed to a client; and 

41 the security policy includes a specific security policy to be applied if the 

42 Downloadable is addressed to the client. 

43 

44 13. The method of claim 1, wherein 

45 the Downloadable is addressed to a client belonging to a group: and 

46 the security policy includes a specific security policy to be applied if the client 

47 belongs to a particular group. 
48 
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49 14. The method of claim 1, 

50 wherein the Downloadable is addressed to a client; and 

51 further comprising, after discarding the Downloadable, the step of sending a 

52 substitute non-hostile Downloadable to the cUent for informing the cUent. 
53 

54 15. The method of claim 1, further comprising, after discarding the Downloadable. 

■ 

55 the step of recording the violation in an event log. 
56 

57 16. The method of claim 1, further comprising the step of computing a 

58 Downloadable ID to identify the Downloadable. 
59 

60 17. The method of claim 16, further comprising the steps of fetching components 

61 identified by the Downloadable and including the fetched components in the 

62 Downloadable. 
63 

64 18. The method of claim 17, further comprising the step of performing a hashing 

65 function on the Downloadable. 
66 

67 19. The method of claim 17, further comprising the step of fetching all 

68 components identified by the Downloadable. 
69 

70 20. The method of claim 1 further comprising the step of examining the intended 

71 recipient userlD to determine the appropriate security policy. 
72 
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73 21. The method of claim 1, further comprising the step of examining the 

74 Downloadable to determine the appropriate security policy. 
75 

76 22. The method of claim 20, wherein the appropriate security policy includes the 

77 default security policy. 
78 

79 23. The method of claim 26, further comprising the step of including a previousU 

80 received Downloadable as a known Downloadable. 
81 

82 24. The method of claim 23, wherein the security policy identifies a 

83 Downloadable to be blocked per administrative override. 
84 

85 25. The method of claim 23, wherein the security policy identifies a 

86 Downloadable to be allowed per administrative override. 
87 

88 26, The method of claim 1, further comprising the step of comparing the 

89 Downloadable against a known Downloadable. 
90 

91 27. The method of claim 26, wherein the known Downloadable is hostile. 

92 

93 28. The method of claim 26, wherein the knovm Downloadable is non-hostile. 
94 
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95 29. The method of claim 2, wherein the security policy includes an access control 

96 list and further comprising the step of comparing the Downloadable securil\ proillc 

97 data against the access control list. 
98 

99 30. The method of claim 1, further comprising the step of informing a user upon 

100 detection of a security policy violation. 
101 

102 31. A system, comprising: 

103 a security policy; 

104 an interface for receiving a Downloadable; and 

105 a comparator, coupled to the interface, for applying the security policy to the 

106 Downloadable to determine if the security policy has been violated, 
107 

108 32. The system of claim 3 1 , wherein the Downloadable includes a Java™ applet. 
109 



TM 



110 33. The system of claim 31, wherein the Downloadable includes ActiveX 

111 control. 
112 

113 34. The system of claim 31, wherein the Downloadable includes a JavaScript^'^ 

114 script. 
115 

116 35. The system of claim 31, wherein the Downloadable includes a Visual Basic 

117 script. 

118 
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119 36. The system of claim 3 1 , wherein 

120 the Downloadable is addressed to a client; and 

121 the security policy includes a default security policy to be applied regardless of 

122 the client to whom the Downloadable is addressed. 
123 

124 37. The system of claim 3 1 , wherein 

125 the Downloadable is addressed to a client; and 

126 the security policy includes a specific security policy to be applied if the 

127 Downloadable is addressed to the client. 
128 

129 38. The system of claim 3 1 , wherein 

130 the Downloadable is addressed to a client belonging to a group; and 

131 the security policy includes a specific security policy to be applied if the client 

132 belongs to a particular group. 
133 

134 39. The system of claim 31, further comprising an ID generator coupled to the 

135 interface for computing a Downloadable ID identifying the Downloadable. 
136 

137 40. The system of claim 39, wherein the ID generator prefetches all components of 

138 the Downloadable and uses all components to compute the Downloadable ID. 
139 

140 41. The system of claim 40, wherein the ID generator computes the digital hash of 

141 all the prefetched components. 
142 
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143 42. The system of claim 31, further comprising a policy finder for finding the 

144 security policy. 
145 

146 43. The system of claim 42, wherein the policy finder finds the security policy 

147 based on the user. 
148 

149 44. The system of claim 42 wherein the policy finder finds the security policv 

150 based on the user and the Downloadable. 
151 

152 45. The system of claim 42, wherein the policy finder obtains the default security 

153 policy. 
154 

155 46. The system of claim 31 wherein the comparator examines the security policy 

156 to determine which tests to apply. 
157 

158 47. The system of claim 46 wherein the comparator compares the Downloadable 

159 against a known Downloadable. 
160 

161 48. The system of claim 47, wherein the known Downloadable is hostile. 

162 

163 49. The system of claim 47, wherein the known Downloadable is non-hostile. 
164 

165 50. The system of claim 31, wherein the security policy identifies a Downloadable 

166 to be blocked per administrative override. 
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167 

168 51. The system of claim 31, wherein the security pohcy identifies a Downloadable 

169 to be allowed per administrative override. 

170 

171 52. The system of claim 3 1 , wherein 

172 the Downloadable is addressed to a client; and 

173 the comparator sends a substitute non-hostile Downloadable to the client for 

174 informing the client. 
175 

176 53. The system of claim 31, further comprising a code scanner coupled to the 

177 comparator for decomposing the Downloadable into Downloadable security profile 

178 data. 
179 

180 54. The system of claim 53, further comprising an ACL comparator coupled to the 

181 code scanner for comparing the Downloadable security profile data against an access 

182 control list. 
183 

184 55. The system of claim 31, further comprising a certificate scanner coupled to the 

185 comparator for examining the Downloadable for a certificate. 
186 

187 56. The system of claim 55, further comprising a certificate comparator coupled to 

188 the certificate scanner for comparing the certificate against a trusted certificate. 
189 
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190 57. The system of claim 31, further comprising a URL comparator coupled to the 

191 comparator for comparing the URL from which the Downloadable originated against 

192 a known URL. 
193 

194 58. The system of claim 57, wherein the known URL identifies an untrusted URL. 
195 

196 59. The system of claim 57, wherein the known URL identifies a trusted URL. 
197 

198 60. The system of claim 31, further comprising a logical engine for responding to 

199 the results of the comparison. 
200 

201 61. The system of claim 31, wherein the logical engine responds according to the 

202 security policy. 
203 

204 62. The system of claim 31, further comprising a record-keeping engine coupled 

205 to the comparator for recording results in an event log. 
206 

207 63. A system, comprising: 

208 means for receiving a Downloadable; 

209 means for comparing the Downloadable against a security policy to determine 

210 if the security policy has been violated; and 

211 means for discarding the Downloadable if the security policy has been 

212 violated, 
213 
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214 64, A computer-readable storage medium storing program code for causing a 

215 computer to perform the steps of: 

216 receiving a Downloadable; 

217 comparing the Downloadable against a security policy to determine if the 

218 security policy has been violated; and 

219 discarding the Downloadable if the security policy has been violated. 
220 

221 65. A computer-based method for generating a Downloadable ID to identify a 

222 Downloadable, comprising the steps of: 

223 selecting Downloadable code; 

224 performing a function on the selected Downloadable code to generate the 

225 Downloadable ID; and 

226 storing the Downloadable ID. 

227 

228 66. The method of claim 65, wherein the function includes a hashing function. 
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67. The method of claim 65, wherein the Downloadable code includes a reference 
to a Downloadable component, and further comprising the step of fetching the 
component. 

68. The method of claim 67, wherein the component includes the first component 
referenced by the Downloadable code. 

69. The method of claim 65, wherein the selected Downloadable code includes all 
of the code included in and identified by the Downloadable. 

70. The method of claim 67, further comprising the step of fetching all 
components referenced by the Downloadable. 
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